Syslog Flow Export

Generate Syslog messages on initial flow-rule classification and end-of-flow for all flows handled by the ION device. These Syslog messages are in RFC 5424 format. You may configure to export flow logs from an ION device to one or more Syslog servers.
The minimum device software version required for flow logging is Release 5.1.17 or Release 5.2.3.
The
Format
of the flow log and description of the different fields exported in the flow logs are listed below:
Some of the fields are reserved for future use, and therefore, will not be populated in the flow log.
Field Name
Description
event time
Time event occurred on the ION device
src ip
Source IP address
dst ip
Destination IP address
dst port
Destination port
protocol name
Protocol name
reserved for future use
Field will be always blank in cgxFlowLogV1
reserved for future use
Field will be always blank in cgxFlowLogV1
pkts sent
Number of packets sent from src ip to dst ip
pkts recvd
Number of packets received from dst ip by src ip
bytes sent
Total bytes sent from src ip to dst ip
bytes recvd
Total bytes received from dst ip by src ip
src interface
Interface from which traffic originated
dst interface
Interface from which traffic egressed
path id
Prisma SD-WAN Path ID of the WAN Path
app name
Name of Prisma SD-WAN-matched Application
flow event
Event that triggered flow export:
  • New Flow
  • Flow Update
  • Delete Flow
zbfw classification rules
One or more ZBFW classification rules separated by a semi-colon(;). ZBFW classification rules include:
Rule Name: Source Zone Name: Destination Zone Name: Action: Action Code
  • ALLOW
    —Flow was Allowed
  • DENY
    —Flow was Denied
  • REJECT
    —Flow was rejected (Deny + Send TCP RST)
  • UNK_SOURCE_ZONE_DENY
    —Flow was Denied due to Unknown Source Zone
  • UNK_DESTINATION_ZONE_DENY
    —Flow was Denied due to Unknown Destination Zone
  • UNK_SOURCE_DESTINATION_ZONE_DENY
    —Flow was Denied due to Unknown Source and Destination Zone
Possible Action Code Values:
  • 1 = ALLOW
  • 2 = DENY
  • 3 = REJECT
  • 4 = UNK_SOURCE_ZONE_DENY
  • 5 = UNK_DESTINATION_ZONE_DENY
  • 6 = UNK_SOURCE_DESTINATION_ZONE_DENY
Sample flow log in RFC 5424 format as shown below:
<13>1 2020-01-28T23:46:17.000035+00:00 T1S3_SPOKE1 cgxFlowLogV1 13593 - -2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,0,0,0,0,,LondonPriWI1,15796434157670062,enterprise-http,New Flow,Allow-All:allow:1
Code copied to clipboard
Unable to copy due to lack of browser support.
The above Syslog message has a header and a body. The Syslog message values populated for the header and the body are:
Syslog Message Header
Header Component Sample Values
Priority
<13>
Version
1
Syslog export time in UTC
2020-01-28T23:46:17.000035+00:00
Element device name
T1S3_SPOKE1
App name to identify flow event logs
cgxFlowLogV1
Process id of log generator
13593
Message id (empty)
Message id field is not populated by the ION device at this time.
Structured data (empty)
Structured data field is not populated by the ION device at this time.
Syslog Message Body
Syslog Message Sample Body
Flow event log in CSV format
2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,0,0,0,0,,LondonPriWI1,15796434157670062,enterprise-http,New Flow,Allow-All:allow:1
Syslog message body shown above in CSV format can be interpreted as:
Headers
Sample Values
Time event happened
2020-01-28T23:46:17
src ip
10.2.53.102
src port
52520
dst ip
10.2.13.100
dst port
80
protocol name
tcp
pkts sent
0
pkts recvd
0
bytes sent
0
bytes recvd
0
dst interface
LondonPriWI1
path id
15796434157670062
app name
enterprise-http
flow event
New Flow
zbfw classification rules
Allow-All:self:unknown:allow:1

Recommended For You